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(57) Abstract 



Radio frequency based cellular telecommunication systems often require a subscriber (10) to maintain a proprietary ident- 
ifier (19) or serial number (18) which is transmitted to a fixed network communication unit (20) to verify the authenticity of the 
subscriber (10). An enciphering and call sequencing method is provided which can decrease unauthorized detection of these pro- 
prietary ID'S (18, 19). This method permits efficient roaming by allowing authentication variables for multiple calls to be sent 
from the "home" system (20) to the "visited" system and stored by the "visited" system for use with subsequent calls. Further, a 
method is provided which forces the authenticating mobile (10) to use information that only it has available to itself. Further- 
more, a method is provided which allows continued encryption integrity during handofTs by maintaining a record of pseudo ran- 
dom events between a subscriber unit (10) and any source radio communication unit (20) (e.g., the number of handofTs that the 
subscriber (10) has undergone during a given conversation). 
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METHOD FOR AUTHENTICATION AND PROTECTION OF 
SUBSCRIBERS IN TELECOMMUNICATION SYSTEMS. 



TECHNICAL FIgLD 

This invention relates generally to communication systems and more 
particuiarfy to radio frequency (RF) cellular telecommunication systems. 

5 

BACKGROUND OF THE IISIVENTIQN 

Cellular radio telephone systems typically include subscriber units 
(such as mobile or portable units) which communicate with a fixed network 

1 0 communication unit via RF transmissions. A typical fixed communication 
network includes at least a base station and a switching center. The 
switching center a subscriber unit accesses may not be his "home" 
switching center, in this case, the subscriber unit is termed a roamer. The 
switching center he accessed (temned the "visited" switching center) will 

1 5 communicate with his "home" switching center via the public switched 
telephone networi< (PSTN). One responsibility of the fixed network 
communication unit is to grant use of the communication system to the >„ 
subscriber unit after the requesting subscriber unit meets the authentication ; 
requirements of the system. In a typical cellular telephone communication 

20 system, each subscriber unit Is assigned a telephone number (mobile 
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Identification number) (MIN) and an identification numljer (or serial 
number) (SN) which uniquely Identifies the subscriber to any fixed network 
communication unit. Each subscriber unit has a unique identification 
number that distinguishes It from other subscriber unHs. The fixed networi< 

5 communication unit has access to these identification numbers through a 
database. Often these numt)ers are used by the fixed networic 
communication units to bill subscribers for the time the subscriber uses the 
system. In the case of a roaming subscriber unit, the "visited" switching 
center must communicate with the subscriber's "home" system database to 

1 0 authenticate and bill the subscriber unit. If this communication is required 
for each call a subscriber unit makes, significant call setup delays will 
occur. When the subscriber cans another unit, he enters the phone number 
he wishes to call. The dialed phone number becomes the data to be sent 
to the fixed networic communication unit. Data may also Include other 

1 5 Information regarding a third communication unit such as a unit's location. 

Detection of a legitimate subscriber's identification number may be 
accomplished by RF eavesdropping or by purposeful or Inadvertent 
divulgence of the MIN/SN combination by the radio telephone installer. 
Once the subscriber's telephone number and Identification number is 

20 known (stolen), a thief may reprogram another subscriber unit with the 
stolen identification number causing two or more subscriber units to have 
the same MIN/SN combination. Cellular radio telephone systems have 
authentication procedures to deny access to subscribers not having 
legitimate Identification numbers, but do not have the capability to detect 

25 multiple users or effectively neutralize the effect of an Installer leaking 
subscriber Identification numbers. Therefbre, the legitimate user is billed 
for both the thiefs use and his own use. 

Several authentication techniques are known. EIA-553 section 2.3 
specifies that each subscriber shall have a MIN and a factory set SN. The 

30 telephone number which the subscriber is attempting to contact is the data 
that is transmitted by the subscriber to the fixed networic communication 
unit. Authentication is granted by this system If the MIN and conresponding 
SN are found In the fixed network communication unit database. 
Unfortunately, EiA-553 does not require the enclphemient of the MIN or SN 

35 t)efore transmission to the fixed networt^ communication unit thereby 

permitting direct RF detection of any MIN or SN. In addition, this technique 
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fails to provide protection against a tiiief that acquires a MtN/SN from an 
installer. 

Another authentication technique is described in European cellular 
communication system recommendations generated by the Qroupe 
5 Special Mobile (GSM); see sections: 02.09, 02.17, 03.20, and 12.03. This 
method additionally requires the subscriber to openly transmit a temporary 
mobile subscriber ID (TMSI) to the fixed networic communication unit; the 
fixed networt< communication unit generates and sends a random number 
(RAND) to the subscriber. The enciphering technique requires the 

1 0 subscriber unit to autonomous: retrieve at least three endphering 
elements from its memory: a predetermined ciphering key, an SN 
(individual subscriber authentication key) and a MIN (international mobile 
subscriber identification number - IMSI). The subscriber then enciphers its 
SN and MIN using the cipher to construct the RAND into a signed response 

1 5 (SRES). The subscriber unit transmits this signed response back to the 
fixed networi< communtoation unit where the fixed network communication 
unit checks the SN, MIN, and ciphering key against its database using the 
subscriber's temporary ID (TMSI). 

The fixed network communication unit generates its response to the 

20 same random numt>er using the information retrieved from the database 
and compares the subscriber signed response to the fixed networtc 
communication unit generated response. If the responses are substantially 
equivalent, authentication is confirmed. The dialed telephone number is 
only allowed to be transmitted after authentication is granted. This system 

25 affords some protection against a thief that acquires the MIN/SN from an 
installer by enciphering the SN and reassigning a temporary TMSI each 
time the subscriber enters a different cell area 

Although one technk|ue enciphers the subscriber's serial nunriber 
before transmission, neither system detects multipie users. Detection of 

30 thieves once they acquire access is important to maintaining a secure 
system. Moreover, the random number transmission (required for 
encipherment) necessitates additional communication between the 
subscriber unit and the fixed network communication unit each time a call 
is made which increases the probability of transmission error and adds a 

35 transmission step to the fixed network communication units authentication 
protocol routine. In addition, authentication must be verified before the 
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system will altow data to bo accepted. Therefore data must be sent after 
the steps of the authentication procedure are complete. 

Secure cellular systems also offer protection of conversations after 
authentication is granted. As is typical for cellular systems, the process of 
5 handing off a subscriber unit to another channel is needed for various 
reasons. These Include maintaining communication link quality, 
minimizing co-channel interference between subscriber units, and 
managing traffic distributions. A handoff Involves the transfer of 
communication betwroen channels. Channelization may be in the fonn of 

1 0 time slots, frequencies, codes (as In spread spectmm type systems) and 

various combinations of these medium divisions. Handoffs include intracell 
handoffs, intercell handoffs. and intercluster handoffs. Intracell handoffs 
are those transfers between channels (voice or data) In the same cell; 
intercell handofte are those transfers between channels in different cells, 

1 5 and Intercluster handoffs are those transfers between channels in cells 
parented from different cell control units. In secure cellular systems 
wherein voice and/or data Information is encrypted to avoid unauthorized 
detection of such infomiation, handoffs Introduce additional complications 
to maintaining encryption integrfty. 

20 In systems where absolute frame synchronization between base 

sites is not required, such as the proposed TDMA U.S. Digital Cellular 
system, subscriber units are only told which slots within a frame they must 
synchronize to after they are handed off. In a secure system however, 
voice encryption between the subscriber unit and any source basesite 

25 transceiver, typically requires an agreed starting point and must continue 
through the length of the call in-espective of the number of handoffs. At 
handoff. a conversation is already in progress, therefore lengthy gaps 
required to establish encryption synchronization must be avoided. Also, an 
Intruder monitoring the channel at any point in the conversation should not 

30 be able to gain sufficient infonnatlon to aid in any cryptanalysis effort. 

One solution involves operating the encryption algorithm with a 
common masic that is reused for each slot of speech. However, this 
severely compromises the security of the encryption process since the 
same crypto-mask is repeated for each time slot thereby affording an 

35 intmder repeated chances for analyzing the same encyption process and • 
consequently increasing the probabinty of decryption. At handoff this - : 
involves passing this mask from the source basedte (current serving 
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basesite to the target basesite. This altows the encryption process to 
remain synchronized to the handoff channel. Also, since the speech coder 
continues to generate it's output sequence during pauses in the 
conversation (quiet periods) an intruder has a good chance of determining 
5 the encryption process during these pauses. 

Another solution involves restarting the encryption process at each 
handoff. However, this requires the repetition of the exact cipher stream 
after each handoff. An Intruder's probability of decoding the cipher stream 
each time a handoff occurs is greatly increased: particularly In microcellular 

1 0 systems. The method of encryption must allow for a high degree of 

variability to mal<e decryption more difficult. As during the authentication 
process, any variable used in the encryption process should not be 
communicated over the airwaves. 

Another solution involves using a continuous stream encryption 

1 5 process wherein the process must maintain Its continuity during all 

handoffs for the same conversation. For example, the exact starting point 
would have to be agreed upon by the subscriber unit and source basesite. 
At handoff, the current contents of the encryption process as well as the 
exact point of transfer is agreed upon by the source basesite and the target 

20 basesite. This method does not readily lend itself to a non-synchronous 
system since the target site may not know the current stage of the 
encryption process. Also, the length of messages between basesites 
would increase since a large numt>er of memory elements may be needed 
to defme the history of the encryption algorithm as started by the subscriber 

25 unit so that the target site can generate the cunrent state of the encryption 
process. 

There exists a need for a substantially enhanced authentication 
technique for a cellular telecommunication system that detects fraudulent 
users and efficiently protects identification numbers from unauthorized 

30 detection. This technique should permit reamers to access "visited** 
systems in an efficient and timely manner, while enabling the "visited" 
system to determine the legitimacy of the subscriber unit. The 
authentication method should restrict an illegitimate user's capacity to 
utilize the system in the case where access is Inadvertently granted. 

35 Further, an adequate level of security resulting from endpherment should 
not require additional transmission processes or inject higher error levels 
during the authentication process: There also exists a need for an 
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encryptlon process for use in a synchronous channel or a non- 
synchronous channel system that provides encryption integrity during 
handoffs between channels such that an Intmder is substantially prevented 
from decoding the encryption process. 

5 

PRIFF ff^ f^^^^^Rv THF INVENTION 

These needs and others are substantially met through provision of 
the method for authentication and protection of subscribers In 
10 telecommunication systems disclosed below. This method describes an 
authentication technique for use between a first communication unit, such 
as a subscriber unit, and a second communication unit, such as a fixed 
network communication unit, wherein the first communication unit modifies 
an ID, known to both the first communication unit and the second 
15 communtoaUon unit (such as a serial number), using data as one 
enciphering key and a second ID (such as a Personal Identification 
Number - PIN) as a second enciphering key as well as a networi^ issued 
random number (RAND) as a third enciphering key. An historic non- 
arbitrary value of predetennined communication events, such as a count of 
20 the number of telephone calls made by a subscriber or a count of the 
number of handoffs that have oocunred for the subscriber unit, is 
maintained in both the first and second communication units. This value 
(county is historic because it represents past telephone calls attributed to a 
communication unit, and it Is non-arbitrary because this history of 
25 transactions (i.e.. number of calls made) serves to identify an out-of-sync 
communication unit. 

The first communteatlon unit transmits (via RF signals) the modified 
ID and count to a second communication unit. The second communication 
unit compares the count maintained by the first communication unit to the 
30 count maintained by the second unit. A count discrepancy indicates a 

different number of calls on one unit Indicating a multiple user whose count 
Is out of sequence. The second communication unit performs the same 
enciphering method on the known serial number using the data received 
and a known second ID. The second communication unit compares the 
35 recehred modified serial number and the serial number generated by the 
fixed networi< communication unit to determine if the serial number is valid. 
The Invention is designed to substantially decrease unauthorized use of a 
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first ID of a communication unit. The authentication method does not 
require the second ID to ever be transnriitted tiy RF. 

This invention provides a means for detecting muitiple subscrilsers 
using the same serial numbers and telephone numbers. Moreover, if a 
5 multiple user copies the information transmitted and uses the same 

information to access the system^ the multiple user will be limited to only 
calling the telephone number that is in the authentication message; not a 
telephone number of his own choice. This authentication invention also 
reduces authentication enrore by making more efficient use of the data 

1 0 transmitted and a second ID» by using them as a part of the cipher; the 

enciphering means does not require an additional RAND stream to be sent 
by a fixed network communication unit to t>e used as the common 
enciphering base and thereby eliminates this additional transmission and 
therefore decreases the probability of enrors. This authentication scheme 

1 5 penmits efficient roaming by allowing authentication variables for muKipie 
calls to be sent from thir "home" system to the "visited" system. These 
authentication variables can t>e stored by the "visited" switching center and 
used on subsequent calls. This storing allows the "visited" switching center 
to authenticate all subsequent calls without requiring real-time 

20 communication to the "home" system and without the associated call setup 
delays. It is also essential to retain the subscriber's secret keys (PIN) in the 
"home" switching center and not share this private information with the 
"visited" switching centers. 

A method of stealing cellular service is to flash from a fraudulent 

25 mobile and take over an existing call. This fiash message woukJ tell the 
fixed networt^ that the legitimate user is making a third party call. One 
possible solution to this problem is for the fixed networic to initiate an 
authentication procedure on the traffic channel. However, the fraudulent 
mobile can allow the legitimate mobile to complete the authentication 

30 process. Another solution to this problem is to force the authenticating 
mobile to use information that only it has available to itself. A particular 
embodiment to this solution would be to excluslve-or (XOR) the dialed 
digits of the flash message with the output of the authentication algori* n 
and then send this response to the fixed networt< for verification that th^i 

35 legitimate mobile is really making a third party call. In the above scenaro. 
since only the fraudulent mobile has the dialed digits that it is sending, ine 
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legitimate mobile cannot correctly authenticate the flash message. Thus 
the fixed network would not complete the call from the fraudulent mobile. 

In a secure celluleu' communication system using an encryption 
process utilizing at least one encryption key for encrypting infomiation 

5 communicated over a channel, the method for presenting encryption 
integrity during a handoff includes: also maintaining a record of pseudo 
random events associated with a subscriber unit, such as the number of 
handoffs the subscriber unit has undergone during a given conversation 
with any number of source radio communication units; communicating the 

1 0 rocom. such as over a landline medium to prevent detection by an intwder, 
to a target radio communication unit; and restarting another encryption 
process for the subscriber unit using the record as an encryption variable. 

RPiPP r^P.<Sf^RlPTinNI OF THE DRAWINGS 

15 

FIG. 1 is a block diagram of a typical subscriber communtoation unit and 
fixed network communication unit. 

FIG. 2 is a flow chart of the Identification enciphering method used by a 

subscrik>er communication unit. 
20 FIG. 3 is a flow chart of the authentication method used by a fixed networit 

communication unit in accordance with the invention. 

FIG. 4 is a flow chart generally depicting the method of preserving 

encryption Integrity during handoffs in accordance with the Invention. 

FIG. 5 is a diagram generally defecting the encryption elements In 
25 accordance with the invention. 

FIG 6. Is a flowchart of an alternative authentication method used by a fixed 

network communication unit. 

FIG. 7 is a diagram depicting a method of stealing cellular communication 
senrice which is eliminated by the authentteation method shown In FIG. 6. 

30 

RF.QT MODE OF OPPRATION 

FIG. 1 generally depicts a subscriber communication unit (10) such 
as a subscriber telephone and a fixed networic communication unit (20) 
35 such as a cellular telephone basesite and switching center. The subscrit>er 
communication unit (10) Is comprised of a microprocessing stage (12), a 
non-voiatlle memory unit (1 1), a radio frequency (RF) stage (13), all as well 
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understood in the art. Additional elements include a data input stage (14) 
such as a key entry pad on a telephone (to enter a telephone number - 
data), a subscriber call sequence counter (15), and an output from an 
enciphering stage referred to as the enciphered serial number (16). 
5 Within the non-volatile memory unit (11) resides the serial number 

(18) (for the subscriber unit), the PIN (19), and the subscriber telephone 
number (1 7) (which can have, for example, characteristics of a Mobile 
Identification Number (MIN)). The PIN Is a second ID known only to the 
subscriber unit and the fixed network unit. For example, it should not be 

1 0 available to an installer of the subscriber unit, it shouki only be available to 
a legitimate user of a subscriber unit and a fixed networi^ communication 
unit database. The subscriber need only enter the PIN one time to activate 
it. The PIN may be changed by the subscriber, but the change must also 
be made known to the fixed networic unit. These identifiers need not 

1 5 necessarily be numbers but may correspond to any attribute capable of 
being identified by the fixed networic communications unit. An alternative 
embodiment, for example, in a cellular system, may include a stored look 
up table containing multiple sets of serial numbers, PIN's, and telephone 
numbers with each set of klentifiers corresponding to a specific cellular 

20 area or fixed network communication unit. 

The fixed network communication unit (20) includes a switching 
center which is comprised of a microprocessing stage (22), a database 
(23), and a link to a basesite radio frequency stage (21 ), all as well 
understood in the art. Additional elements include a fixed network unit call 

25 sequence counter (24) and an enciphered serial number generated by the 
fixed network unit (25). Additionally, the switching center has an interface 
to the Public Switched Telephone Networic (PSTN) (60). The PSTN link 
can be used for "visited* switching center to "home"* switching center 
communications as required for authentication and billing of roaming 

30 subscriber units. 

The database includes information regarding the subscriber unit's: 
serial number (18), PIN (19), and subscriber telephone number(17); the 
information is a copy of these ID'S. The serial number (1 8), PIN (1 9), and 
telephone number (17) of the subscriber communication unit (10) ^ . 

35 conrespond to the serial number (28), PIN (27), and telephone number (26) 
as stored in the fixed network communication unit (20). Communication < 
between the subscriber communication unit (1 0) and the fixed network 
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communication unit (20) is aocompfished via RF transmissions between the 
two units In aocordance with well understood cellular system techniques. 

When authentication Is required of the 8ut>scriber communication 
unit (10). the subscriber unit enciphers its serial number (18) and 

5 increments its call sequence counter (15). FIG. 2 depicts the method used 
by a subscriber communication unft to encipher Its serial number before 
transmission to a fixed network communication unit during an 
authentication request (29). This method requires use of at least two 
enciphering keys. The subscriber unit obtains the called telephone number 

1 0 (data)(30) and obtains PIN (31 ) from memory and uses at least parts of 
these two components as the enciphering keys to encipher its serial 
number (32). Alternatively, the subscriber unit obtains the called telephone 
number (DATA), a networit issued random number (RAND) (30), a current 
subscriber's system number (historical data) as well as PIN (31 ) and uses 

1 5 at least parts of these components as the enciphering keys for enciphering 
its serial number (32). If PIN and the called telephone number are 
comprised of bits, the parts of these keys to be used are the contents of the 
bits and the bit length of each key. For example, an enciphered serial 
number may have a different bit length than the unendphered serial 

20 number, or unmodified first ID. depending on ttie contents of the PIN or the 
data Varying the enciphered SN bit length may also be a function of 
another event known to both the subscriber and fixed networtc unit such as 
the time of day. 

The algorithm to integrate the enciphering keys may be varied to 
25 accommodate various levels of security depending upon the requirement 
of the system. The final step prior to transmission of the Authentication 
Response Message is to logically transform the enciphered message using 
the telephone number (data). This transformation is essential In assuring 
that a "visited" switching center can use the stored authentication variables 
30 ft received previously from the subscriber's "home" switching center. The 
authentication variables Issued by ttie "home" system make no 
assumptions about the telephone number (data) that the subscriber will 
use. Thus the "visited" system can compute the ARM based on the 
authentication variables it received from the "home" system and the 
35 received telephone number (data). The subscriber identification v^i' -r ■ : 
enciphering method does not require authentication to be confirmed by the 
fixed networit communication linft* before data Is transmitted. Combining 
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PIN with data adds the ability of the system to encipher a serial number into 
a complex code to an extent sufficient to substantially eliminate 
unauthorized detection by RF eavesdropping and unauthorized divulgence 
by installers. 

5 The modified serial number (enciphered SN) becomes a component 

of the Authentication Request Message (ARM) (35) that Is transmitted via 
RF (36) to the fixed networic communication unit Once endpherment is 
complete, the assigned telephone numkwr is obtained (33) from memory. 
This number is not enciphered as part of the authentication procedure. 

1 0 This Idemifier is a component of the ARM (35) that Informs the fixed networic 
unit that the authentication request is coming from a valid subscriber unit. 

The call sequence count is then otrtained (34) and also used in the 
ARM (35). The call sequence count is updated (incremented or 
decremented) each time a predetermined event occurs such as when the 

15 authentication procedure is initiated or when a call is completed. The 

count may be maintained by the subscriber and fixed networi< unit using a 
rollover type counter such as a ring counter. This count Is used by the fixed 
network communication unit as a means to count the number of calls made 
by each subscriber. Another suitable count to be used in conjunction with, 

20 or instead of. the call sequence count is the number of handoffs associated 
with the subscriber unit Because a record of the number of calls made by 
each subscriber is maintained by both the subscriber unit and the fixed 
network communication unit, another subscrit>er trying to use the same 
serial number will be detected because it will not have made the exact 

25 same number of calls as the legitimate subscriber. The call sequence 
count infonnation is communicated to the fixed networi< unit as one 
component of the Authentication Request Message. The ARM can be 
communicated in any acceptable format or in any number of stages. 
Components of a typical ARM (35) include data, the enciphered serial 

30 number, the call sequence count, and the assigned telephone number. An 
aitemative embodiment would include modifying the call sequence count 
using the same enciphering method that Is used to modify the SN. This 
would further enhance the protection because the count is also disguised 
using the PIN and data; each sut)scriber would generate a different value 

35 for the same count (number of calls made). 

A fixed networi< communication unit receives a transmitted ARM and . 
uses this information to detenmine whether authentication should be V . 
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granted to the subscriber unit. FIG. 3 depicts the authentication method 
performed by a fixed network unit. The ARM is received (37) by the fixed 
networt^ unit by means of the base RF unit (21). The fixed network unit has 
access to assigned telephone number's, serial number's and PIN's of valid 
5 subscriber units through Its database. The fixed networtc unit determines if 
the assigned telephone number received in the ARM Is valid (39) by 
obtaining from the fixed networic unit database the same assigned 
telephone number (38). A comparison is made between the received 
telephone number from the subscriber unit and the valid number found in 
1 0 the database (39). If the assigned telephone number Is not recognized by 
the fixed networic unit, authentication is denied (or some other action taken) 
(40). 

If the assigned telephone number is determined to be valid (it is 
found in the database), the fixed networic unit then retrieves from the 

1 5 database the serial number and PIN corresponding to that particular 
assigned telephone number. The fixed networic unit then, uses the PIN 
from the database and the data received in the ARM as enciphering keys 
as elements of its enciphering method (44), which is the same method 
used in the subscriber unit, and generates its own enciphered serial 

20 number. The fixed networic unit compares this enciphered serial number to 
the serial number enciphered by the subscriber unit(46). If they are not 
substantially the same, then the system denies access or takes some other 
predetermined course of action (47). If they are within the acceptable 
tolerance, the received call sequence count is obtained (48) and compared 

25 (50) to the call count maintained by the fixed networic communication unit 
(49). If the counts are substantially equal, authentication may be 
confirmed (52) which is the first predetemilned course of action. At this 
point, the subscriber may be allowed to communicate with the third 
communication unit associated with the dialed number. This third unit may 

30 more generally be termed a requested communication resource. If the 

count Is not within the acceptable tolerance, authentication may be denied 
or the authorities may be notified that a multiple user is attempting to 
access the system (51). 

The fixed networic unit call counter maintains the number of times 

35 authentication is granted to a subscriber. Each subscriber has its own call 
counter Having a continuous call counting scheme between a subscriber 
and a fixed network communicatiofk unit prevents another subscriber from ^ 
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using some other subscriber's identification number because the thief 
wouid not have made the identical number of calls that the legitimate 
subscriber made. This discrepancy is flagged by the fixed networic unit 
when it compares the two counts. 
5 Protection against illegitimate users Is further enhanced by the 

encipherment method's use of the enciphered dialed telephone number 
and the PIN (which is not transmitted). ^ Without an illegitimate user knowing 
a subscriber's PiN and the exact algorithm that enciphers the serial 
number, a thief is limited to merely copying the authentication message of a 
1 0 subscriber and repeating this message. Each time a subscriber dials a 
different telephone number, a different authentication request message is 
generated because each subscriber has a different PIN; each subscriber 
generates a different authentication request message for the same 
telephone number. 

1 5 Although a thief may detect the call sequence count (because it is 

not enciphered In the ARM) and update it, a connect count would only allow 
the thief to gain authentication for the enciphered dialed telephone number 
he intercepted. Therefore the illegitimate user can only communicate to the 
subscriber whose enciphered telephone number matches that copied from 

20 the ARM. 

An alternative emtKxKment comprising the call sequence count may 
allow each subscriber to maintain more than one call counter where a 
separate call counter is required for each fixed networic communication 
unit. This embodiment would find use in a cellular communication system 
25 which allowed a subscriber to use multiple fixed networit communication 
units. Another aitemative embodiment to the flow in FIG. 3 may require the 
step of comparing the call sequence counts (50) to occur before the step 
Involving the comparison of enciphered serial numbers (46). 

In FIG. 7, a method of stealing cellular sen/lce is shown. In 
30 particular, an illegitimate user (704) waits until a legitimate user (702) 
makes a valid call. The illegitimate user then overpowers the traffic 
channel between the legitimate user (702) and a base site (700) with a 
third party flash call. The illegitimate user (704) drops off of the traffic 
channel while the base site (700) sends an authentk»tion request 
35 message to the legitimate user (702). The legitimate user (702) responds 
to the authentication request, correctly. Thus, the base site connects the 
third party call. Meanwhile, the illegitimate user (704) overpowers the • 
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traffic channel and takes control. The original call between the legitimate 
user (702) and the base site (700) is bst and the legitimate user (702) 
drops out of the traffic channel. As a result, the illegitimate user (704) 
continues the call with the third party that was called and the filling for the 
5 call is sent to the legitimate user (702). 

In FIG. 6, a method of eliminating this form of stealing cellular service 
is shown. This elimination is accomplished by requiring the authentication 
response message from a mobile unit to contain an exclush^e-or of at least 
part of the response message with the dialed digits. Since the legitimate 

1 0 mobile unit does not know the Illegitimate mobile units dialed digits, the 

legitimate mobile unit authenticates incorrectly and the third party call of the 
illegitimate mobile unit does not go through. 

Refening now to FIG.2 and FIG. 6. in particular. FIG. 6 depicts an 
alternative authentication method used by a fixed network communication 

1 5 unit which supports authentication of roaming mobile units. In this 

embodiment an Authentication Request Message (ARM) is received from a 
subscriber communication unit (1 0) (mobile unit) by the fixed network unit 
(20) through a base unit RF stage (21). The ARM preferably includes a 
Mobile Identification Number (MIN), the Dialed Digits (Data) and a Call 

20 Sequence Count. From the received ARM the fixed network unit (20) 
detenrtines whether the received ARM comes from a mobile In its home 
network (602). 

if the received ARM is from a home mobile unit, then the fixed 
network unit (20) determines if the assigned MIN (preferably telephone 

25 number) in its database (23) is the same as the MIN received in the ARM 
(604). A comparison is made between the received MIN from the mobile 
unit (10) and the valid MIN found In the database (23). If the received MIN 
Is not recognized by the fixed network unit (20). sen/ice is denied (or some 
other action is taken) (606). Othenwise, if the received MIN Is determined to 

30 be valid (it is found in the database), then the fixed network unit (20) 

retrieves a Personal Identification Number (PIN) from the database (23) 
and generates a particular random/response pair (RAND/RESP) from this 
PIN (608). The RAND preferably Is a random number and the RESP 
preferably is a number which is generated as a function of the RAND and 

35 the particular subscriber's PIN. In alternative embodiments it will be : 
appreciate that the RESP may be generated as a function of additional 
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elements such as a MIN, Electronic Serial Number, and/or rolling key. 
Subsequently, tiie authentication method continues at step (622). 

Othenvise, if the receh^ed ARM is not from a home mobile, then the 
fixed network (20) checks its database (23) for RAND/RESP pairs for this 
5 visiting mobile unit (610). If the database (23) rantains RAND/RESP pairs 
for this visiting mobile unit, then the fixed network (20) retrieves a particular 
RAND/RESP pair for use in this particular authentteation process (612) and 
continues the authentication process at step (622). Otherwise, if the fixed 
network unit's database (23) does not contain RAND/RESP pairs for this 

1 0 visiting mobile unit, the fixed network unit (20) preferably accesses the 
visiting mobile unit's home network via a PSTN link (60). The home 
network determines if the assigned MIN (preferably telephone number) in 
its database Is the same as the MIN received in the ARM (614). A 
comparison is made between the received MIN from the visiting mot>ile unit 

1 5 and the valid MIN found in the home network's database. If the received 
MIN is not recognized by the home network, service is denied (or some 
other action is taken) (616). Othen^nse, if the received MIN is determined to 
be valid (it is found in the database), then the home network provides 
RAND/RESP pairs for this visiting mobile unit to the visited network unit 

20 (20) preferably via the PSTN link (60) (61 8). The fixed network unit (20) 
stores these received RAND/RESP pairs in database (23) (620). 
Subsequently, the fixed network (20) retrieves a particular RAND/RESP 
pair for use in this particular authentication process (612) and continues 
the authentication process at step (622). 

25 At authentication step (622), the fixed network unit (20) generates a 

RESPd which is a logical function of the RESP associated with the 
particular RAND for this authentication process and the Dialed Digits 
received in the ARM (preferably an XOR function or other non-destructive 
logical function). Subsequently, the fixed netwoik unit (20) issues the 

30 partk:ular RAND to the mobile unit (10) (624). The mobile unit (10) 

generates a RESP from this particular RAND using a particular method 
which is the same method as the one used by the network unit (either 
home or visited network unit). Then, the mobile unit (10) generates a 
RESPd which is a logical function of the mobile generated RESP and the 

35 Dialed Digits sent In the ARM (preferably an XOR function or other non- ; 
destructive logical function) and provides the mobile generated RESPd to 
the fixed network unit (626). The fixed network unit (20) compares this 
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reoeived RESPd to the network unit generated RESPd (628). If they are not 
substantially similar, then service is denied (br some other action is talcen) 
(630). 

Otherwise, if the two RESPd's are substantially similar, then the Call 

5 Sequence Count received In the ARM Is compared to the Call Sequence 
Count maintained by the fixed network unit (10) (632). If the counts are not 
within an acceptable tolerance, then the service is denied, the authorities 
may be notified thai a multiple user is attempting to access the system 
(634) and/or some other appropriate action is taken. Otherwise, if the 

1 0 counts are substantially equal, authentication may be confirmed and 

sen/ice issued (636). At this point, the mobjie unit (1 0) may be allowed to 
communicate with the third communlcaflon unit associated with the Dialed 
Digits received In the ARM and the authentication process Is done (638). 
Rgur« 4 begins with btock 400 wherein the source basesite Is 

1 5 currently using a first encryption process to secure the traffic channel over 
which speech is being communicated between the subscriber unit and the 
source station. Once a handoff is required (405) both the subscriber unit 
and neighboring base sites are used in determining the proper target site 
using well known cell selection techniques. After the proper channel and 

20 target site are Identified, the cunrent handoff count and the session key are 
communicated over the landBne network to the target site (410). The 
subscriber unit is given the new handoff channel over which it will 
communicate with the target unit (415). The subscriber unit and target site 
then modify their handoff count registers (420). 

25 The target site will broadcast a frame count over an RF Hnk to the 

subscriber unit for a short period of time after a channel has been assigned 
(425). The target basesite will cease the broadcast once the subscriber 
unit has acquired the correct frame count. The handoff count is therefore 
maintained by the subscriber unit and source basesite. updated for each 

30 handoff, and is typically unique for each call. The combination of the 

handoff count and the frame count sen/es as a pseudo-secret crypto-sync 
variable. The target site continues communication with the subscriber unrt 
on the target channel by restarting the encryption process using the , 
received handoff count as a new encryption variable (430). 

35 As appreciated by those of ordinary skill in the art. the target unit and 

the source unit may be the same communication unit as in the case of a 
channel handoff between time slots from the same carrier frequency or a 
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transfer to another code in the same time slot as in a code division 
multiplexed system. 

This method of preserving encryption integrity uses a substantially 
random variable as a new encryption variable for the time slot from which 
5 the target site continues communication each time a handoff occurs. It also 
forces the encryption process to start again after each handoff thereby not 
requiring continuous encryption process synchronization between voice 
coders from differing sites or channels. Such an encryption scheme uses 
the pseudo random events of handoffs associated with a subscriber unit, 

1 0 such as between subscribers and various channels, to ensure adequate 
protection from unauthorized listeners. The degree of randomness of the 
number of handoffs that may occur during any given conversation depends 
on such factors as cell size, propagation medium characteristics, receiver 
sensitivities of the subscrit>er unit and base sites, handoff thresholds as set 

15 by the system operator, and various other factors. Consequently, the 

handoff count in microcellular systems arKi in-building systems may vary 
substantially more than a rural system having large cells. Unlike these 
pseudo random events, predictable events such as the time of day or 
absolute frame number (as In a synchronous TDMA system), do represent 

20 adequate encryption variables since they do not offer same degree of 
randomness. The intruder can readily predict an amount of elapsed time 
since the last call or handoff or can readily determine the at>solute frame 
number since it is generally broadcast over the RF medium. In the case of 
a synchronous TDMA system, the target site may determine proper frame 

25 count synchronization from the switch, source site, or other suitable means. 

FIG. 5 shows an bit map for a typical Initialization vector (500) and 
key field (505) for carrying out the method of preserving encryption integrity 
during handoffs. The encryption key field is termed the session key field 
since It is unique for each session or call and changes on a per call baste. 

30 The initialization vector (500) includes the pseudo random encyption 

variable and is maintained by both the subscriber unit and the basesite and 
changes for each slot. The initialization vector (500) contains 32 bits and 
these 32 bits are combined with the session crypto-key (505) to produce 
159 bits needed for each slot. The 32 bits are divided between three 

35 counters: an eight bit handoff counter, a nine bit speech slot counter, and a 
fifteen bit speech slot overflow counter. The handoff counter is updated as 
previously described. The slot counter is given the slot count of the target 
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unit and overflow counter is started from a count of zero at the beginning of 
a call and at every handoff ttiereafter Tlie basesite establishes 
synchronization with the subscriber unit by sending, via RF, the nine bits of 
the slot counter during every slot, for a predetermined time, at the 
5 beginning of its transmission until the target site con^ectly decrypts speech, 
which may be generated using VSELP coding or other suitable speech 
coding method, from the subscriber unit or until the predetermined time 
elapses. 

The session Icey field in combination with the initialization vector are 
1 0 used in an encryption algorithm (510) to generate an output masic (515) 

which Is exclusive ORed (518) with the speech (520) or data. This output is 
then further error coded using known error protection techniques (525). 

The session key and the handoff counts are communicated over the 
landllne network between base sites to prevent detection by RF intruders. 
1 5 Since the subscriber itself maintains a handoff count and the fixed network 
also maintains the count, there is no need to broadcast this information 
over an RF channel thereby keeping the handoff count a pseudo-secret 
crypto-variable. 

The above method provides synchronization for speech encryption 
20 in a system that does not have an absolute frame synchronization scheme 
between base sites. However, as obvious to those of ordinary skill in the 
■ art, the method for preserving encryption integrity during handoff may be 
readily applied to any suitable secure cellular system. Although a count of 
channel handoffs is the preferred pseudo random event, other suitable 
25 pseudo random events may also be used including the number of calls 
made by a given subscriber unit, or the number of power changes a 
subscriber unit undergoes. As appreciated by those skilled in the art, a 
record of pseudo random events may include other representations of the 
events other than a count of such events. Maintaining a count is only one 
30 way of representing events. 

As appreciated by those skilled in the art, numerous alternative 
emt)odiments may be devised without departing from the spirit and scope 
of the claimed invention. 
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CLAIMS 

What is claimed is: 

5 1 . In a telecommunication system using an encryption process, a 
method of subscriber protection comprising: 

(a) maintaining a record of pseudo random events associated 
with a subscriber unit; 

(b) communicating the record to a target radio communication 
1 0 unit; and 

(c) utilizing another encryption process as between the 
subscriber unit and the target radio communication unit using 
the record as an encryption variable. 



15 2. 



The method according to claim 1 wherein the record of pseudo 
random events comprises the record of a number of channel 
handoffs attributed to the subscriber unit. 
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3. A method of authentication and protection between a subscriber unit 
and a central communication unit in a radiotelephone 
communication system, comprising the steps of: 

(a) providing the subscriber unit with a first ID and a terminal 
5 endpoint identifier which uniquely identifies a target 

communication unit other than the central communication 
unit; 

(b) generating a modified first ID in the subscriber unit by 
modifying the first ID as a function of a random number 

1 0 received from the central communication unit; 

(c) modifying the modified first ID in the subscriber unit as a 
function of the terminal endpoint identifier; and 

(d) transmitting via a radio communication linic the modified first 
ID from the subscriber unit to the central communication unit. 

15 

4. The method according to claim 3 wherein: 

(a) the subscriber unit is provided with a second ID; and 

(b) the modified first ID is generated in the subscriber unit by 
modifying the first ID as a function of the received random 

20 number and the second ID. 
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5. A method of authentication and protection between a subscriber unit 
and a central communication unit In a radiotelephone 
communication system, comprising the steps of: 

(a) providing the central communication unit with infonnation 
5 regarding a first ID; 

(b) receiving a request for sen/Ice at the central communication • 
unit from the subscriber unit, the request for service 
comprising a terminal endpoint Identifier which uniquely 
identifies a target communication unit other than the central 

^ 0 communication unit; 

(c) transmitting via a radio communication link a random number 
from the central communication unit to the subscriber unit In 
response to receiving the request for service; 

(d) receiving a modified first ID at the central communication unit. 
^ ^ modified first ID being derived from the first ID, transmitted 

random number and the terminal endpoint identifier; and 

(e) determining in the central communication unit, through the 
use of the received modified first ID, the received tennlnal 
endpolrrt Identifier, the transmitted random number and the 
Information regarding the first ID, If the received service 
request is authentic. 

6. The method according to daim 5 wherein: 

(a) the central communication unit Is provided with a second ID ; 
25 and 

(b) the determining if the received service request is authentic 
further Includes the use of the second ID. 

The method according to claim 5 wherein: 

(a) the central communication unit is a home communication unit 
for the subscriber unit; and 

(b) the Information regarding the first ID is substantially simitar to 
the first ID. 



7. 

30 
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8. The method according to claim 5 wherein: 

(a) the central communication unif Is a visited communication unit 
for the subscriber unit; 

(b) the step of providing the central communication unit with 
5 information regarding a first ID. comprises the steps of: 

(I) determining if the visited communication unit has 
information regarding the first ID; 

(il) retrieving the information regarding the first ID, if the 
visited communication unit has the information 
1 0 regarding the first ID; and 

(iii) communicating with a home communication unit for the 
subscriber unit, subsequently retrieving the information 
regarding the first ID, and subsequently storing the 
Information regarding the first ID in the visited 
1 5 communication unit, if the visited communication unit 

does not have the information regarding the first ID. 
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A method of authentir^ation and protec-on between a subscriber unit 
and a central communication unit In A radiotelephone 
communication system, comprising the steps of: 

(a) providing the subscriber unit with a first ID and a terminal 
endpolnt identifier which uniquely identifies a target 
communication unit other than the central communication 
unit; 

(b) providing the central communication unit with information 
regarding the first ID; 

(c) transmitting via a radio communication link a request for 
service from the subscriber unit to the central unit, the request 
for service comprising the terminal endpoint identifier; 

(d) receiving the request for service at the central communication 
unit; 

(e) transmitting via a radio communication link a random number 
from the central communication unit to the subscriber unit; 

(f) receiving the random number at the subscriber unit; 

(g) floneraflng a modified first ID In the subscriber unit by 
modifying the first ID as a function of the received random 
number; 

(h) modifying the modified first ID In the subscriber unit as a 
function of the terminal endpoint identifier: 

(I) transmitting via a radio communication link the modified first 
ID from the subscriber unit to the central communication unit; 

0) receiving the modified first ID at the central communication 
unit; and 

(k) determining in the central communteation unit, through the 
use of the ri eived modified first ID, the received tenninal 
endpoint identifier, the transmitted random number and the 
information regarding the first ID. If the received servtoe 
request is authentic. 
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1 0. The method according to claim 9 wherein: 

(a) the subscriber unit is provided' with a second ID; 

(b) the central communication unit is provided with the second ID; 

(c) the modified first ID is generated in the subscriber unit by 
modifying the first 10 as a function of the received random 
nunnber and the second ID; and 

(d) the determining if the received service request is authentic 
further includes the use of the second iD. 
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